DaemonForums  

Building a Firewall/Router prepurchase questions

#1
Posted 2nd January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

resolved

Last edited by azarian; 20th May 2015 at 05:02 PM.

#2
Posted 3rd January 2015 by TronDD (Spam Deminer; Join Date: Sep 2014; Posts: 304)

I had the same dilemma a few months ago. Went with the PC Engines APU as it was cheaper than Soekris and had known good hardware support.

There has been some debate about whether it can actually push a gig through the NICs, though. I don't have a need for that much throughput so I haven't paid much attention to it. Worth looking into if speed is an important factor for you.

The only other complaint is that they run hot. Mine is at 60C in a 58F house doing firewalling and running a service that eats 20% CPU pretty much all the time. I am a little worried about summer time.

Tim.

#3
Posted 3rd January 2015 by ibara (OpenBSD language porter; Join Date: Jan 2014; Posts: 783)

> Originally Posted by azarian:
> Now we will need gigabit speed on the LAN side since we will be doing lots of transferring to/from a NAS and lots of streaming from a digital media server to a local media client box. In addition, we will also be upstreaming a 1280 x 720 feed of a surveillance camera on the back yard/alley. We will need it to keep up at a decent speed since it will be backed up to the cloud and we want the best video possible in case we need to identify a perp.

Upstreaming to whom? It is extremely likely any bottleneck would be the fault of your ISP or the network to which you're uploading and not the firewall.

> Originally Posted by azarian:
> We currently have 60 Mbps from cable, which claims to be 60 up/4 down Mbps.

You almost certainly have the up/down numbers backwards. Cable companies are usually generous with the down (how else are their customers going to stream Netflix?) and stingy on the up (to prevent you from being Netflix yourself).

> Originally Posted by azarian:
> Now that said, I have been looking around and the general consensus seems to be to use a Soekris 6501-50, a PC Engines APU1d or a Shuttle DS437/DS47 (I eliminated the DS61 due to not being fanless). So it should be fanless, have 1GbE NICs, and have an option for non-spinning disk storage for OpenBSD (SSD, mini SSD/PCIe/mini-SATA, or CF, whichever has the best performance and longevity).

If you have to buy today I'd buy an APU1d. If you can wait until Q2 2015, the net6801-50 would be a massive upgrade to all of these options, judging by looking up the different CPU specs in Intel ARK.

> Originally Posted by azarian:
> I was going to pull the trigger on the PC Engines APU, but a lot of people bag on them for using Realtek NICs, although they appear to be supported under the OpenBSD kernel. Another concern I had was that these are coming straight outta China. Is anyone else concerned about the China factor?

Those Intel CPUs? They're likely fabbed in China. Same with your USB controllers. Same with your wifi... (and same for the Intel NICs too!)

> Originally Posted by azarian:
> At my last gig, we were having hundreds of login attempts on our firewalls per day originating from China.

I'm assuming you mean SSH login attempts? This is why you only use key-based logins and only permit use of the strongest options you can. And have a policy to ban all IPs with failed login attempts.

> Originally Posted by azarian:
> Although my guess is the majority of the hardware we use is from China.

Yup.

> Originally Posted by azarian:
> So I am at a loss as to where to proceed for the initial purchase of the hardware...
> What are you using?

A Sun Ultra 5. But I only need 100Mbps speeds.

> Originally Posted by azarian:
> Did I miss something on my list of options?

Nope. Other than the new Soekris if you're willing to wait.

> Originally Posted by azarian:
> Do you have any experience with these devices? If so, have you experienced any issues or networking dilemmas?

The APU1d runs HOT. That's why the case was designed to be a giant heat sink. I've heard black works slightly better than red. Either way, make sure to buy the appropriate case for it.

> Originally Posted by azarian:
> Would I be disappointed if I bought the PC Engines box?

Probably not.

#4
Posted 3rd January 2015 by jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,977)

I'm running prior-generation PC Engines gear: Alix 2d3s. These are 500MHz AMD Geode (Cyrix) processors with 256MB RAM, with vr(4) 100BaseT NICs. Unlike the new APUs, these don't run hot. PC Engines has been a pleasure to deal with for both the initial delivery and a follow-on hardware problem (CompactFlash memory card DOA), and I'm very happy with their performance (230Mbps / 5Kpps) ... but like ibara, I only require 100Mbit on any Ethernet segment.

#5
Posted 3rd January 2015 by Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

If you don't want to spend more than $100, I would get a used Intel Atom fanless Mini-ITX Supermicro server with dual Intel gigabit NICs from these guys, UNIXSurplus. New ones can be found on eBay for $250. I would stick a $20 32GB SSD into it.

If you want something really fancy, I like Axiomtek hardware, but they go for $500 and above. Essentially you are paying a premium price for a nice design.

#6
Posted 4th January 2015 by J65nko (Administrator; Join Date: May 2008; Location: Budel - the Netherlands; Posts: 4,128)

> I was going to pull the trigger on the PC Engines APU, but a lot of people bag on them for using Realtek NICs, although they appear to be supported under the OpenBSD kernel. Another concern I had was that these are coming straight outta China. Is anyone else concerned about the China factor?

The engineer who designs and sells the PC Engines stuff is Swiss. Just to save costs, like 99.99% of all computer product manufacturers, he outsources production to what is probably a Taiwanese manufacturer who has a factory in China. The wages in China are much lower than in Taiwan.

The only reason the PC Engines APU features Realtek NICs instead of Intel ones is to keep the price low and, IIRC, also the power consumption.

In the beginning of 1990 my wife and I set up the European headquarters of a large Taiwanese computer manufacturer, so I know the industry. All so-called "American" computer companies outsource their production to Taiwanese, or nowadays also Chinese, companies. There are hundreds of companies that just manufacture products designed by third parties. Many of them also offer extended services, like converting schematics into a four-layer or six-layer PCB design, or turning a product specification into a design.

So please ignore the marketing crap that makes you believe that things are made in the USA.

Without all those Taiwanese engineers, many of whom studied in the USA and started computer companies in Taiwan, we would not have these computer products that seem to be an indispensable part of our daily lives. Their pricing strategy was not based on "what is the market willing to pay for product A", but on calculating their cost, adding a profit margin and just selling.

I have heard factory managers complain about their sales people who sold too low. In order to still make a profit, he had to use lower-grade components than originally planned. So only if a company slams down the price too much do you get lower-quality products. Like the capitalist adage says, "You get what you pay for".
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#7
Posted 4th January 2015 by raindog308 (Fdisk Soldier; Join Date: Sep 2011; Posts: 67)

> Originally Posted by azarian:
> At my last gig, we were having hundreds of login attempts on our firewalls per day originating from China. Although my guess is the majority of the hardware we use is from China.

Most of my Internet-facing servers would have hundreds if not thousands of login attempts from China per day if I ran SSH on port 22. Public-facing hosting systems usually block dozens of IPs per day (via fail2ban, etc.) on IMAP/POP/etc. ports because people try to brute force logins.

Tons of skiddies running scripts in China - about 95% of the brute force blocks I see originate from China. It has nothing to do with hardware, if that's what you were asking. Put any server on the Internet with port 22, etc. open and you will eventually get people knocking on it.

As someone already said, you should allow only key-based SSH access. Of course, do you really need ssh open to the Internet on your home router? Sometimes people like this - run a dyndns client and then you're able to access your home servers over SSH when you're traveling. But if you don't, simply don't allow ssh to run on your WAN interface.

If you do run it on your WAN interface, I recommend changing the ssh port. This is extremely common on public-facing systems. While it is security by obscurity (someone with the slightest determination will find your ssh port), the vast majority of Chinese skiddies will see if 22 is open and, if not, move on to the next IP, so you can effectively filter out a ton of attempts.

Beyond that, ban IPs with multiple failed login attempts as mentioned.
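The two options ibara and raindog308 describe above, keeping sshd off the WAN entirely, or, if remote access is needed, allowing key-based logins only and banning sources that fail repeatedly, expressed as a pf.conf excerpt for an OpenBSD router. This is an added example, not configuration from any poster in the thread; the interface names em0/em1, the table name and the rate-limit numbers are assumptions.

```conf
# /etc/pf.conf excerpt (added example; em0/em1 and the limits below are assumptions)
ext_if = "em0"          # WAN, facing the cable modem
int_if = "em1"          # LAN

# Sources that exceeded the SSH connection-rate limit. "persist" keeps the
# table across rule reloads, so bans survive a "pfctl -f /etc/pf.conf".
table <bruteforce> persist

set skip on lo

# Default deny inbound on the WAN; "log" makes the knocking visible with
# tcpdump -n -e -ttt -i pflog0
block in log on $ext_if

# Option 1 (raindog308): administer the router from the LAN only. With no
# "pass ... port ssh" rule on $ext_if, sshd is never reachable from the WAN.
pass in on $int_if proto tcp to ($int_if) port ssh

# Option 2 (ibara): SSH must be reachable from the WAN. Drop banned sources
# first; then allow at most 5 concurrent connections and 3 new connections
# per 30 seconds from any one source. A source that exceeds either limit is
# added to <bruteforce> and all of its existing states are flushed.
block in quick on $ext_if from <bruteforce>
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    keep state (max-src-conn 5, max-src-conn-rate 3/30, \
                overload <bruteforce> flush global)

# Let the LAN and the router itself reach the Internet.
pass in on $int_if from $int_if:network
pass out on $ext_if
```

Pair this with `PasswordAuthentication no` in /etc/ssh/sshd_config so that only key-based logins are accepted, which is what makes the rate limit a backstop rather than the primary control. `pfctl -t bruteforce -T expire 86400` removes table entries older than a day, so a mistyped passphrase from a travelling admin is not a permanent lockout.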

#8
Posted 4th January 2015 by Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

> Originally Posted by raindog308:
> If you do run it on your WAN interface, I recommend changing the ssh port. This is extremely common on public-facing systems.

That is really poor unsolicited advice. I thought that we were discussing a firewall hardware purchase, not SSH brute-force attack mitigation techniques. I would suggest you do some reading on misc@openbsd and learn at least some arguments against changing the default SSH port.

#9
Posted 7th January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

So while I appreciate the lesson on the politics of outsourcing and security, can we go back to the OP and discuss hardware?

PC Engines out. Too many negative reviews.
Shuttle out. Realtek NICs.
Soekris still in the running, but looks outdated for the price, and not able to wait till Q2/2015 with the price unknown.
Came across this little box (BLKD2500CCE w/ Intel Atom BGA559, Mini ITX form factor, Intel NICs) and wondering if it would be a mistake to get it over the Soekris?

Posted 8th January 2015 by ibara (OpenBSD language porter; Join Date: Jan 2014; Posts: 783)

> Originally Posted by azarian:
> PC Engines out. Too many negative reviews.

I think this is a mistake but I'm not the one buying.

> Originally Posted by azarian:
> Came across this little box (BLKD2500CCE w/ Intel Atom BGA559, Mini ITX form factor, Intel NICs) and wondering if it would be a mistake to get it over the Soekris?

The GPU on that machine is a PowerVR, which means no support (now or ever) if you at some point want to convert it to a desktop machine.

Posted 8th January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

> Originally Posted by ibara:
> I think this is a mistake but I'm not the one buying.

I was really headed towards the PC Engines, but the more I read, the more I see people having issues. I wish it had Intel em cards or Broadcom, as it looks like a great firewall device.

> Originally Posted by ibara:
> The GPU on that machine is a PowerVR, which means no support (now or ever) if you at some point want to convert it to a desktop machine.

I have Linux stations, Mac stations, editing stations, IRIX stations, Win XP, 7 Ent and BSD workstations. This would be solely used for a low-energy/silent firewall/router connecting my ISP to my LAN with one port dedicated as DMZ. Would this fit the bill? Even though I will be using OpenBSD/PF, it seems that the pfSense people like them.

Thanks for the quick response!

Posted 8th January 2015 by ibara (OpenBSD language porter; Join Date: Jan 2014; Posts: 783)

> Originally Posted by azarian:
> Would this fit the bill? Even though I will be using OpenBSD/PF, it seems that the pfSense people like them.

It looks more than sufficient.

Posted 8th January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

> Originally Posted by ibara:
> It looks more than sufficient.

Just to clarify, you are speaking about the LKD2500CCE w/ Intel Atom BGA559, Mini ITX form factor, Intel NICs?

Posted 8th January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

Also, any reason to go Soekris over the LKD2500CCE w/ Intel Atom BGA559, Mini ITX, besides 2 extra ports?

Posted 9th January 2015 by ibara (OpenBSD language porter; Join Date: Jan 2014; Posts: 783)

> Originally Posted by azarian:
> Just to clarify, you are speaking about the LKD2500CCE w/ Intel Atom BGA559, Mini ITX form factor, Intel NICs?

Yes.

> Originally Posted by azarian:
> Also, any reason to go Soekris over the LKD2500CCE w/ Intel Atom BGA559, Mini ITX, besides 2 extra ports?

Yes. If you purchase the Soekris, exactly $0.00 of your purchase will go to PowerVR, a company that is actively hostile towards Free Software communities. It is the same reason you should never buy Nvidia.

Posted 9th January 2015 by azarian (Port Guard; Join Date: Jan 2015; Posts: 12)

1) Sorry for the confusion, but would the LKD2500CCE be a solid purchase for running pfSense or OpenBSD as a firewall? The only negative is a political open-source one?

2) Does the Soekris box (over 4 years old) have any advantages that the LKD2500CCE does not?

Posted 10th January 2015 by Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

The Soekris box has no advantage over the board you are proposing. I looked at the spec and it looks great. You can add another 2x1Gb Intel PCI LAN controller for $10. It is actually a great buy IMHO.

Posted 15th January 2015 by shep (Real Name: Scott; Arp Constable; Join Date: May 2008; Location: Dry and Dusty; Posts: 1,503)

This was mentioned on the OpenBSD-misc mailing list recently and, if it holds up, looks enticing.

Posted 16th January 2015 by Oko (Rc.conf Instructor; Join Date: May 2008; Location: Kosovo, Serbia; Posts: 1,102)

> Originally Posted by shep:
> This was mentioned on the OpenBSD-misc mailing list recently and, if it holds up, looks enticing.

Have you read the entire thread? Go back and read Christian Weisgerber's comment.

Posted 16th January 2015 by shep (Real Name: Scott; Arp Constable; Join Date: May 2008; Location: Dry and Dusty; Posts: 1,503)

> Have you read the entire thread? Go back and read Christian Weisgerber's comment.

I think I used Christian Weisgerber's "enticing" description.

The original poster was interested in Gigabit LANs (at least 2), fanless, and a 1280x720 video output. I would share the concern about heat as the case looks "tight". Power consumption is on a par with the PC Engines Geode CPUs. Each NIC adds about 1.3 watts.

When I read the mailing list post, I recalled this thread and linked it as an option. The original poster would be on new ground. The 5 year warranty would minimize some of the risk. If the OP documents the results (including operating temps) they could be of interest to the manufacturer. Perhaps Fitlet would even supply an example for testing. A successful trial would increase their market.

> Power Consumption
>
> The power consumption of the entire SoC is rated at 4.5 watts TDP (SDP: 2.8 W). Thus, the APU is suitable for passively cooled tablets.
>
> Series: AMD A-Series
> Codename: Mullins
> Clock Rate: 1000 - 1600 MHz
> Level 1 Cache: 256 KB
> Level 2 Cache: 2048 KB
> Number of Cores / Threads: 4 / 4
> Max. Power Consumption (TDP = Thermal Design Power): 4.5 Watt
> Manufacturing Technology: 28 nm
> Features: SSE (1, 2, 3, 3S, 4.1, 4.2, 4A), x86-64, AES, AVX, Single-Channel DDR3L-1333
> GPU: AMD Radeon R3 (Mullins/Beema) (? - 350 MHz)
> 64 Bit: 64 Bit support
> Hardware Virtualization: VT
> Announcement Date: 04/29/2014